<member><filename><replaceable>ESP</replaceable>/.../<replaceable>foo</replaceable>.efi.extra.d/*.addon.efi</filename></member>
<member><filename><replaceable>ESP</replaceable>/.../<replaceable>foo</replaceable>.efi.extra.d/*.cred</filename></member>
<member><filename><replaceable>ESP</replaceable>/.../<replaceable>foo</replaceable>.efi.extra.d/*.raw</filename></member>
+ <member><filename><replaceable>ESP</replaceable>/.../<replaceable>foo</replaceable>.efi.extra.d/*.sysext.raw</filename></member>
+ <member><filename><replaceable>ESP</replaceable>/.../<replaceable>foo</replaceable>.efi.extra.d/*.confext.raw</filename></member>
<member><filename><replaceable>ESP</replaceable>/loader/addons/*.addon.efi</filename></member>
<member><filename><replaceable>ESP</replaceable>/loader/credentials/*.cred</filename></member>
</simplelist></para>
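Review bot: the file list still carries the plain `*.raw` entry directly above the two new `*.sysext.raw` and `*.confext.raw` entries, while the XML comment further down in this patch says the intent is to document the `*.sysext.raw` suffix only. Either drop the `*.raw` line here, or keep it and mark it as the legacy spelling, so the file list and the descriptive paragraphs agree on what is documented.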
details on encrypted credentials. The generated <command>cpio</command> archive is measured into TPM
PCR 12 (if a TPM is present).</para></listitem>
- <listitem><para>Similarly, files <filename><replaceable>foo</replaceable>.efi.extra.d/*.raw</filename>
- are packed up in a <command>cpio</command> archive and placed in the <filename>/.extra/sysext/</filename>
- directory in the initrd file hierarchy. This is supposed to be used to pass additional system extension
- images to the initrd. See
+ <listitem><para>Similarly, files
+ <filename><replaceable>foo</replaceable>.efi.extra.d/*.sysext.raw</filename> are packed up in a
+ <command>cpio</command> archive and placed in the <filename>/.extra/sysext/</filename> directory in the
+ initrd file hierarchy. This is supposed to be used to pass additional system extension images to the
+ initrd. See
<citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
details on system extension images. The generated <command>cpio</command> archive containing these
system extension images is measured into TPM PCR 13 (if a TPM is present).</para></listitem>
+ <!-- Note: the actual suffix we look for for sysexts is just *.raw (not *.sysext.raw), for
+ compatibility reasons with old versions. But we want people to name their system extensions
+ properly, hence we document the *.sysext.raw suffix only. -->
+
+ <listitem><para>Similarly, files
+ <filename><replaceable>foo</replaceable>.efi.extra.d/*.confext.raw</filename> are packed up in a
+ <command>cpio</command> archive and placed in the <filename>/.extra/confext/</filename> directory in
+ the initrd file hierarchy. This is supposed to be used to pass additional configuration extension
+ images to the initrd. See
+ <citerefentry><refentrytitle>systemd-confext</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
+ details on configuration extension images. The generated <command>cpio</command> archive containing
+ these system extension images is measured into TPM PCR 12 (if a TPM is present).</para></listitem>
+
<listitem><para>Similarly, files
<filename><replaceable>foo</replaceable>.efi.extra.d/*.addon.efi</filename> are loaded and verified as
PE binaries, and a <literal>.cmdline</literal> section is parsed from them. Addons are supposed to be
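Review bot: copy-paste slip in the new configuration extension paragraph: "The generated cpio archive containing these system extension images is measured into TPM PCR 12" should say "configuration extension images". It would also help to state here, as the credentials paragraph above does for PCR 12, that this PCR is shared with the credential initrd rather than being dedicated to confexts the way PCR 13 is dedicated to sysexts, since that is what someone writing a PCR policy needs to know.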
<para>Also note that the Linux kernel will measure all initrds it receives into TPM PCR 9. This means
every type of initrd will be measured two or three times: the initrd embedded in the kernel image will be
- measured to PCR 4, PCR 9 and PCR 11; the initrd synthesized from credentials will be measured to both PCR
- 9 and PCR 12; the initrd synthesized from system extensions will be measured to both PCR 4 and PCR
- 9. Let's summarize the OS resources and the PCRs they are measured to:</para>
+ measured to PCR 4, PCR 9 and PCR 11; the initrd synthesized from credentials (and the one synthesized
+ from configuration extensions) will be measured to both PCR 9 and PCR 12; the initrd synthesized from
+ system extensions will be measured to both PCR 4 and PCR 9. Let's summarize the OS resources and the PCRs
+ they are measured to:</para>
<table>
<title>OS Resource PCR Summary</title>
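Review bot: the rewritten sentence still says the initrd synthesized from system extensions "will be measured to both PCR 4 and PCR 9", but the sysext paragraph earlier in this patch says PCR 13 and the summary table below lists "9 + 13" for system extensions. Since this hunk rewrites that sentence anyway, change it to "PCR 9 and PCR 13" (or, if PCR 4 really is correct, say why it differs from the table).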
<entry>System Extensions (synthesized initrd from companion files)</entry>
<entry>9 + 13</entry>
</row>
+
+ <row>
+ <entry>Configuration Extensions (synthesized initrd from companion files)</entry>
+ <entry>9 + 12</entry>
+ </row>
</tbody>
</tgroup>
</table>
<varlistentry>
<term><varname>StubPcrInitRDSysExts</varname></term>
- <listitem><para>The PCR register index the systemd extensions for the initrd, which are picked up
- from the file system the kernel image is located on. Formatted as decimal ASCII string (e.g.
+ <listitem><para>The PCR register index the system extensions for the initrd, which are picked up from
+ the file system the kernel image is located on. Formatted as decimal ASCII string (e.g.
<literal>13</literal>). This variable is set if a measurement was successfully completed, and remains
unset otherwise.</para>
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><varname>StubPcrInitRDConfExts</varname></term>
+
+ <listitem><para>The PCR register index the configuration extensions for the initrd, which are picked
+ up from the file system the kernel image is located on. Formatted as decimal ASCII string (e.g.
+ <literal>12</literal>). This variable is set if a measurement was successfully completed, and remains
+ unset otherwise.</para>
+
+ <xi:include href="version-info.xml" xpointer="v255"/></listitem>
+ </varlistentry>
</variablelist>
<para>Note that some of the variables above may also be set by the boot loader. The stub will only set
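Review bot: both the corrected `StubPcrInitRDSysExts` text and the new `StubPcrInitRDConfExts` text are missing a verb: "The PCR register index the configuration extensions for the initrd, which are picked up from the file system the kernel image is located on." Suggest "The PCR register index into which the configuration extensions for the initrd, which are picked up from the file system the kernel image is located on, are measured." The same rewording applies to the sysext entry, which this hunk already touches for the "systemd extensions" typo.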
</varlistentry>
<varlistentry>
- <term><filename>/.extra/sysext/*.raw</filename></term>
- <listitem><para>System extension image files (suffix <literal>.raw</literal>) that are placed next to
- the unified kernel image (as described above) are copied into the
+ <term><filename>/.extra/sysext/*.sysext.raw</filename></term>
+ <listitem><para>System extension image files (suffix <literal>.sysext.raw</literal>) that are placed
+ next to the unified kernel image (as described above) are copied into the
<filename>/.extra/sysext/</filename> directory in the initrd execution environment.</para>
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
</varlistentry>
+ <varlistentry>
+ <term><filename>/.extra/confext/*.confext.raw</filename></term>
+ <listitem><para>Configuration extension image files (suffix <literal>.confext.raw</literal>) that are
+ placed next to the unified kernel image (as described above) are copied into the
+ <filename>/.extra/confext/</filename> directory in the initrd execution environment.</para>
+
+ <xi:include href="version-info.xml" xpointer="v255"/></listitem>
+ </varlistentry>
+
<varlistentry>
<term><filename>/.extra/tpm2-pcr-signature.json</filename></term>
<listitem><para>The TPM2 PCR signature JSON object included in the <literal>.pcrsig</literal> PE
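Review bot: the new term `/.extra/sysext/*.sysext.raw` documents a narrower set of files than the stub actually places there: the `pack_cpio()` call later in this patch matches `.raw` and only excludes `.confext.raw`, so any other `*.raw` file next to the UKI also ends up in `/.extra/sysext/`. Either keep the term as `/.extra/sysext/*.raw` and mention `.sysext.raw` as the recommended suffix in the paragraph, or add a sentence saying that plain `.raw` files are still picked up for compatibility, mirroring the XML comment in the man page hunk above.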
uint64_t flag;
const char *name;
} stub_flags[] = {
- { EFI_STUB_FEATURE_REPORT_BOOT_PARTITION, "Stub sets ESP information" },
- { EFI_STUB_FEATURE_PICK_UP_CREDENTIALS, "Picks up credentials from boot partition" },
- { EFI_STUB_FEATURE_PICK_UP_SYSEXTS, "Picks up system extension images from boot partition" },
- { EFI_STUB_FEATURE_THREE_PCRS, "Measures kernel+command line+sysexts" },
- { EFI_STUB_FEATURE_RANDOM_SEED, "Support for passing random seed to OS" },
- { EFI_STUB_FEATURE_CMDLINE_ADDONS, "Pick up .cmdline from addons" },
- { EFI_STUB_FEATURE_CMDLINE_SMBIOS, "Pick up .cmdline from SMBIOS Type 11" },
- { EFI_STUB_FEATURE_DEVICETREE_ADDONS, "Pick up .dtb from addons" },
+ { EFI_STUB_FEATURE_REPORT_BOOT_PARTITION, "Stub sets ESP information" },
+ { EFI_STUB_FEATURE_PICK_UP_CREDENTIALS, "Picks up credentials from boot partition" },
+ { EFI_STUB_FEATURE_PICK_UP_SYSEXTS, "Picks up system extension images from boot partition" },
+ { EFI_STUB_FEATURE_PICK_UP_CONFEXTS, "Picks up configuration extension images from boot partition" },
+ { EFI_STUB_FEATURE_THREE_PCRS, "Measures kernel+command line+sysexts" },
+ { EFI_STUB_FEATURE_RANDOM_SEED, "Support for passing random seed to OS" },
+ { EFI_STUB_FEATURE_CMDLINE_ADDONS, "Pick up .cmdline from addons" },
+ { EFI_STUB_FEATURE_CMDLINE_SMBIOS, "Pick up .cmdline from SMBIOS Type 11" },
+ { EFI_STUB_FEATURE_DEVICETREE_ADDONS, "Pick up .dtb from addons" },
};
_cleanup_free_ char *fw_type = NULL, *fw_info = NULL, *loader = NULL, *loader_path = NULL, *stub = NULL;
sd_id128_t loader_part_uuid = SD_ID128_NULL;
EFI_LOADED_IMAGE_PROTOCOL *loaded_image,
const char16_t *dropin_dir,
const char16_t *match_suffix,
+ const char16_t *exclude_suffix,
const char *target_dir_prefix,
uint32_t dir_mode,
uint32_t access_mode,
continue;
if (match_suffix && !endswith_no_case(dirent->FileName, match_suffix))
continue;
+ if (exclude_suffix && endswith_no_case(dirent->FileName, exclude_suffix))
+ continue;
if (!is_ascii(dirent->FileName))
continue;
if (strlen16(dirent->FileName) > 255) /* Max filename size on Linux */
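Review bot: the new `exclude_suffix` check is placed correctly (after the `match_suffix` test and before the ASCII and length checks), but neither the definition nor the header declaration gains a comment saying that it excludes exactly one suffix and is only meaningful when that suffix itself ends in `match_suffix`. A one-line comment on the parameter, or an `assert()` at the top of the function that `exclude_suffix` is either NULL or ends with `match_suffix`, would catch a future caller passing an exclude that can never fire.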
EFI_LOADED_IMAGE_PROTOCOL *loaded_image,
const char16_t *dropin_dir,
const char16_t *match_suffix,
+ const char16_t *exclude_suffix,
const char *target_dir_prefix,
uint32_t dir_mode,
uint32_t access_mode,
EFI_STUB_FEATURE_REPORT_BOOT_PARTITION | /* We set LoaderDevicePartUUID */
EFI_STUB_FEATURE_PICK_UP_CREDENTIALS | /* We pick up credentials from the boot partition */
EFI_STUB_FEATURE_PICK_UP_SYSEXTS | /* We pick up system extensions from the boot partition */
+ EFI_STUB_FEATURE_PICK_UP_CONFEXTS | /* We pick up configuration extensions from the boot partition */
EFI_STUB_FEATURE_THREE_PCRS | /* We can measure kernel image, parameters and sysext */
EFI_STUB_FEATURE_RANDOM_SEED | /* We pass a random seed to the kernel */
EFI_STUB_FEATURE_CMDLINE_ADDONS | /* We pick up .cmdline addons */
}
static EFI_STATUS run(EFI_HANDLE image) {
- _cleanup_free_ void *credential_initrd = NULL, *global_credential_initrd = NULL, *sysext_initrd = NULL, *pcrsig_initrd = NULL, *pcrpkey_initrd = NULL;
- size_t credential_initrd_size = 0, global_credential_initrd_size = 0, sysext_initrd_size = 0, pcrsig_initrd_size = 0, pcrpkey_initrd_size = 0;
+ _cleanup_free_ void *credential_initrd = NULL, *global_credential_initrd = NULL, *sysext_initrd = NULL, *confext_initrd = NULL, *pcrsig_initrd = NULL, *pcrpkey_initrd = NULL;
+ size_t credential_initrd_size = 0, global_credential_initrd_size = 0, sysext_initrd_size = 0, confext_initrd_size = 0, pcrsig_initrd_size = 0, pcrpkey_initrd_size = 0;
void **dt_bases_addons_global = NULL, **dt_bases_addons_uki = NULL;
char16_t **dt_filenames_addons_global = NULL, **dt_filenames_addons_uki = NULL;
_cleanup_free_ size_t *dt_sizes_addons_global = NULL, *dt_sizes_addons_uki = NULL;
_cleanup_free_ char16_t *cmdline = NULL, *cmdline_addons_global = NULL, *cmdline_addons_uki = NULL;
int sections_measured = -1, parameters_measured = -1;
_cleanup_free_ char *uname = NULL;
- bool sysext_measured = false, m;
+ bool sysext_measured = false, confext_measured = false, m;
uint64_t loader_features = 0;
EFI_STATUS err;
export_variables(loaded_image);
if (pack_cpio(loaded_image,
- NULL,
+ /* dropin_dir= */ NULL,
u".cred",
+ /* exclude_suffix= */ NULL,
".extra/credentials",
/* dir_mode= */ 0500,
/* access_mode= */ 0400,
if (pack_cpio(loaded_image,
u"\\loader\\credentials",
u".cred",
+ /* exclude_suffix= */ NULL,
".extra/global_credentials",
/* dir_mode= */ 0500,
/* access_mode= */ 0400,
parameters_measured = parameters_measured < 0 ? m : (parameters_measured && m);
if (pack_cpio(loaded_image,
- NULL,
- u".raw",
+ /* dropin_dir= */ NULL,
+ u".raw", /* ideally we'd pick up only *.sysext.raw here, but for compat we pick up *.raw instead … */
+ u".confext.raw", /* … but then exclude *.confext.raw again */
".extra/sysext",
/* dir_mode= */ 0555,
/* access_mode= */ 0444,
&m) == EFI_SUCCESS)
sysext_measured = m;
+ if (pack_cpio(loaded_image,
+ /* dropin_dir= */ NULL,
+ u".confext.raw",
+ /* exclude_suffix= */ NULL,
+ ".extra/confext",
+ /* dir_mode= */ 0555,
+ /* access_mode= */ 0444,
+ /* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG,
+ u"Configuration extension initrd",
+ &confext_initrd,
+ &confext_initrd_size,
+ &m) == EFI_SUCCESS)
+ confext_measured = m;
+
dt_size = szs[UNIFIED_SECTION_DTB];
dt_base = dt_size != 0 ? POINTER_TO_PHYSICAL_ADDRESS(loaded_image->ImageBase) + addrs[UNIFIED_SECTION_DTB] : 0;
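Review bot: the new confext call measures into `TPM2_PCR_KERNEL_CONFIG`, whereas the sysext call just above it uses the dedicated `TPM2_PCR_SYSEXTS`; that is consistent with the "9 + 12" row added to the man page table, but a short comment on the `/* tpm_pcr= */` line explaining that configuration extensions are deliberately treated as kernel configuration, and therefore share PCR 12 with the command line and credentials, would stop the next reader from assuming it is a copy-paste error from the credentials calls. The inline comment on the sysext call about matching `.raw` and then excluding `.confext.raw` is good; it is the only place the compatibility reasoning for the suffix lives in the code.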
(void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrKernelParameters", TPM2_PCR_KERNEL_CONFIG, 0);
if (sysext_measured)
(void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrInitRDSysExts", TPM2_PCR_SYSEXTS, 0);
+ if (confext_measured)
+ (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrInitRDConfExts", TPM2_PCR_KERNEL_CONFIG, 0);
/* If the PCR signature was embedded in the PE image, then let's wrap it in a cpio and also pass it
* to the kernel, so that it can be read from /.extra/tpm2-pcr-signature.json. Note that this section
initrd_base = initrd_size != 0 ? POINTER_TO_PHYSICAL_ADDRESS(loaded_image->ImageBase) + addrs[UNIFIED_SECTION_INITRD] : 0;
_cleanup_pages_ Pages initrd_pages = {};
- if (credential_initrd || global_credential_initrd || sysext_initrd || pcrsig_initrd || pcrpkey_initrd) {
+ if (credential_initrd || global_credential_initrd || sysext_initrd || confext_initrd || pcrsig_initrd || pcrpkey_initrd) {
/* If we have generated initrds dynamically, let's combine them with the built-in initrd. */
err = combine_initrd(
initrd_base, initrd_size,
credential_initrd,
global_credential_initrd,
sysext_initrd,
+ confext_initrd,
pcrsig_initrd,
pcrpkey_initrd,
},
credential_initrd_size,
global_credential_initrd_size,
sysext_initrd_size,
+ confext_initrd_size,
pcrsig_initrd_size,
pcrpkey_initrd_size,
},
- 5,
+ 6,
&initrd_pages, &initrd_size);
if (err != EFI_SUCCESS)
return err;
credential_initrd = mfree(credential_initrd);
global_credential_initrd = mfree(global_credential_initrd);
sysext_initrd = mfree(sysext_initrd);
+ confext_initrd = mfree(confext_initrd);
pcrsig_initrd = mfree(pcrsig_initrd);
pcrpkey_initrd = mfree(pcrpkey_initrd);
}
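Review bot: the literal count passed to `combine_initrd()` is bumped from `5` to `6` by hand, and it has to match the length of both the pointer array and the size array that precede it; the next addition will need the same three-place edit. Deriving the count from the array length at compile time (for example with the tree's `ELEMENTSOF()` macro over one of the two arrays, assuming it is usable in the EFI code) removes the chance of the count and the arrays drifting apart.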
#define EFI_STUB_FEATURE_CMDLINE_ADDONS (UINT64_C(1) << 5)
#define EFI_STUB_FEATURE_CMDLINE_SMBIOS (UINT64_C(1) << 6)
#define EFI_STUB_FEATURE_DEVICETREE_ADDONS (UINT64_C(1) << 7)
+#define EFI_STUB_FEATURE_PICK_UP_CONFEXTS (UINT64_C(1) << 8)
typedef enum SecureBootMode {
SECURE_BOOT_UNSUPPORTED,
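Review bot: assigning `EFI_STUB_FEATURE_PICK_UP_CONFEXTS` the next free bit (8) rather than slotting it in next to `EFI_STUB_FEATURE_PICK_UP_SYSEXTS` is the right call, since the bootctl `stub_flags` table earlier in this patch decodes the same constants and existing bit values must stay stable; a brief comment on this line noting that the bits are externally visible and must never be renumbered would protect that invariant for the next contributor.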